Flitch
Integrations

CockroachDB

Connect a CockroachDB cluster with a connection string, client certificate, or JWT SSO.

Reads tables and views from a CockroachDB cluster over the Postgres wire protocol. Queries run read-only.

Add a source

CockroachDB supports a connection string (a SQL user over TLS), a client certificate (mTLS, recommended for production), and JWT / SSO (an OIDC token via Cluster SSO).

Prerequisites

  • A CockroachDB cluster reachable from the connector.
  • A SQL user limited to SELECT on the tables you want.

Create a read-only user

CREATE USER flitch_readonly WITH PASSWORD 'choose-a-strong-password';
GRANT CONNECT ON DATABASE defaultdb TO flitch_readonly;
GRANT USAGE ON SCHEMA public TO flitch_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO flitch_readonly;

USAGE on the schema is required: without it the user can't see the schema and the table list comes back empty.

Copy the connection string

In CockroachDB Cloud, open the cluster, click Connect (top right), pick the SQL user and database, then copy the General connection string:

postgresql://flitch_readonly:password@host:26257/defaultdb?sslmode=verify-full

Open the form

Go to DataAddCockroachDB, paste the connection string, then pick datasets.

Issue a client certificate

Create a client certificate and key for the SQL user (CockroachDB Cloud: Connect → certificate; self-hosted: cockroach cert create-client).

Open the form

Go to DataAddCockroachDB, pick Client Certificate (mTLS), and paste the CA certificate, client certificate, and client key.

Enable JWT auth

Enable server.jwt_authentication on the cluster and register your identity provider (issuer, audience).

Open the form

Go to DataAddCockroachDB, pick JWT / SSO (OIDC), and provide a token, or a token URL plus client credentials.

Team-wide credential (optional)

A team admin can store one shared CockroachDB credential in Settings → Data connections; new connections then default to it, with no per-connection secret.

Refresh

Refresh is off by default. Enable it to schedule a background refresh and serve from cache between runs. See Refresh.

Troubleshooting

TLS certificate not trusted. CockroachDB defaults to verify-full; provide the cluster CA certificate.

Permission denied. Grant SELECT on the schema/table to the read-only user.

Neon

Connect a Neon serverless Postgres database with a connection string.

Amazon Redshift

Connect an Amazon Redshift cluster with a connection string or AWS IAM credentials.

On this page

Add a sourcePrerequisitesCreate a read-only userCopy the connection stringOpen the formIssue a client certificateOpen the formEnable JWT authOpen the formTeam-wide credential (optional)RefreshTroubleshooting